New Mac Malware Uses Right-to-Left Override To Trick Users

By Michael Sweeting

After a relatively long lag period without seeing any particular new and exciting Mac malware, last week we saw the surfacing of a new and interesting method of compromising the OSX system. Malware authors have taken a new approach by altering file extensions of malicious .app packages in order to trick users into thinking they are opening relatively harmless .pdf or .doc files. Changing file extensions in Mac OSX can be tricky due to a built in security feature of the OS that detects attempts to change the extension and automatically annexes the extension of its correct file or package type. So what’s the trick you may ask? Well, in order for malware authors to get around this built in OSX security feature, they are implementing what is called “right-to-left encoding” using the built in Mac OSX Character Viewer. OSX Character Viewer allows the user to very easily insert a vast array of characters and text input methods, which in this case, gives the malware author the ability to insert a fake file extension using the “right-to-left” encoding character.

So, how does this work? It is actually quite simple and can be done by just about any Mac user by following a few simple steps using the Mac OSX Character Viewer. The OSX Character Viewer contains a “right-to-left” character code that can be used for writing in languages, such as Hebrew, that are written from right-to-left as opposed to the standard left-to-right format that is used when writing in English, or many other western European languages. The “right-to-left” Unicode character code that is being used in this case is “U+202e”. By opening the OSX Character Viewer and using the Unicode character code “U+202e”, the malware author can select the encoding character and insert it when attempting to change the file extension in the name of the .app package. The catch is that the malware author has to type the desired file extension backwards in order to get the desired result. For example, in order to change an extension to “pdf”, the malware author will need to type “fdp” when using the unicode character code “U+202e”. After hitting enter to apply the change to the package name, the package will now have the .pdf extension and will have circumvented the built in security feature that appends the .app extension.

Although the malware author can use this technique to effectively change the file extension that the user sees in the Finder, the Mac OS still knows that this file is an .app package. As a part of the built-in Mac OSX Gatekeeper malware security, when a user attempts to open an .app package that has been downloaded from the internet, the OS alerts the user with a warning asking the user if they would like to continue with the .app installation. In this case however, since the .app package has been renamed using the Unicode right-to-left character encoding, the OS will display the typical warning message written completely backwards, which becomes very confusing to the user, since they can’t understand what is being asked of them. The malware author of course hopes that in the confusion, the user will simply click “open” and continue with the installation. In addition to the OSX warning message, Apple’s Gatekeeper has an additional setting that allows users to choose to only install .app packages that are signed with a valid Apple Developer ID. In the case of OSX.Janicab.A, the malicious .app package is actually signed with a legit Apple Developer ID. Although this does allow the malware author to meet the requirement of a signed .app, it also does allow Apple to easily stop this type of malware distribution in its tracks by revoking the developer account.

In the case of the new OSX.Janicab.A malware, once the user has allowed the installation of the disguised .app package, the malware drops and opens a decoy document, creates a cron job, and creates a hidden folder in the user’s home directory in order to store it’s components. The malware then connects to various malicious URLs in order to obtain the address of its command and control server. Once connected to the command and control server, the malware takes screen shots and records audio and uploads then to the remote server. In addition, the malware listens for additional commands to execute from the command and control server, so the malware author may implement additional functionality to the malware. In addition to stealing personal confidential user information, I could see this malware possibly being used to make the user’s machine part of a botnet.

After a long period of not seeing many new techniques for compromising Mac OSX, this new technique of right-to-left Unicode character encoding is a very interesting approach. It shows that malware authors are actively working to come up with new ways to circumvent Apple’s built in Gatekeeper security settings and that the creativity of malware authors will continue to pose threats to the OSX platform in the future.